
Logging into google compute engine with a service account

I have spent the entire day today reading documentation and questions on StackExchange trying to use a service account to log on to a Compute Engine instance, but have got nowhere.

I am new to Google Cloud, so pardon my knowledge.

We are trying to set up a long-running service on a Google Compute Engine instance. We want the service to run as a system account rather than an individual account, so as to allow troubleshooting privileges across the team rather than specific users. We thought that a GCP service account should be able to accomplish this, but we haven't been able to log on to a Compute Engine instance as a service account. We took the following steps to try this out:

  1. Create a service account and give serviceaccountuser permissions to the team. Also create an RSA key for the service account, which was distributed to the team.
  2. Use gcloud auth activate-service-account to switch to the service account.
  3. gcloud init to the service account and set up the configuration.
  4. Use gcloud compute ssh.

We hoped to be able to log on to the instance as the service account, since we switched identity before logging on. But we are not getting the desired effect.

Questions:

  1. Can service accounts actually be used to log on to Compute Engine?
  2. If not, what is the purpose of configuring a service account to run as when creating a VM on GCP?
  3. If not, what is the right way to run a service on a Compute Engine instance using a system account that everybody can have access to?
  4. If yes, what are we missing?

Thanks a lot in advance for clearing up the confusion.

The service account allows the Compute Engine instance to access other Google APIs. For example, the instance might need to access private content from Storage buckets or connect to a Datastore. See https://cloud.google.com/iam/docs/service-accounts

In order to give your team members (ssh) access to a Compute Engine instance, you add them as members to the project by adding their Google accounts. Specify their level of access so they can only list and ssh in, but not create or delete. I think you want a new role with the "Compute OS Login" permission. They don't need billing set up either. See https://cloud.google.com/iam/docs/granting-changing-revoking-access
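The IAM side of the answer above (give the humans OS Login and read-only listing on the project, give them iam.serviceAccountUser on the VM's own service account so they can SSH into a VM that runs as it, and keep broad roles off the team), as an added example that is not part of the original question or answer. It edits an IAM policy document of the shape `gcloud projects get-iam-policy PROJECT --format=json` returns, intended to be fed back with `gcloud projects set-iam-policy PROJECT policy.json`; the same merge applies to the service account's own policy from `gcloud iam service-accounts get-iam-policy`. The role names are Google's predefined roles; the members, etag and service-account address are constructed sample data. OS Login itself still has to be switched on with the `enable-oslogin=TRUE` instance or project metadata key. Nothing here distributes a service-account private key: the team authenticates as themselves, and the VM's workload gets its credentials from the attached service account.

```python
"""Grant a team SSH-only access to Compute Engine VMs via IAM and OS Login.

Added example, not code from the original post. Works on policy documents
as returned by `gcloud ... get-iam-policy --format=json`; the result is
meant for `gcloud ... set-iam-policy`, which uses `etag` for optimistic
locking, so the etag is preserved untouched.
"""
import copy
import json

# Least privilege for "list and ssh in, but not create or delete":
#   roles/compute.viewer   - list/describe instances (read-only)
#   roles/compute.osLogin  - log in via OS Login without sudo
#                            (roles/compute.osAdminLogin would add sudo)
SSH_ONLY_PROJECT_ROLES = ("roles/compute.viewer", "roles/compute.osLogin")

# Required on the VM's service account (not project-wide) for anyone who
# SSHes into a VM that runs as that service account.
SA_USER_ROLE = "roles/iam.serviceAccountUser"

# Roles that would silently hand out far more than SSH.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/compute.admin",
    "roles/compute.instanceAdmin.v1",
}


def add_binding(policy, role, members):
    """Return a copy of `policy` with `members` added to `role`, idempotently.

    Only an unconditional binding for the role is merged into; a binding that
    carries an IAM condition is left alone so a conditional grant is never
    widened by accident.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            for member in members:
                if member not in binding["members"]:
                    binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": list(members)})
    return new


def grant_ssh_only(project_policy, members):
    """Project-level bindings: list + OS Login, nothing else."""
    new = project_policy
    for role in SSH_ONLY_PROJECT_ROLES:
        new = add_binding(new, role, members)
    return new


def grant_sa_user(service_account_policy, members):
    """Binding on the VM's service account so the team may SSH into VMs that run as it."""
    return add_binding(service_account_policy, SA_USER_ROLE, members)


def broad_grants(policy, members):
    """Map each member of `members` to the broad roles it already holds in `policy`."""
    wanted = set(members)
    found = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BROAD_ROLES:
            for member in binding["members"]:
                if member in wanted:
                    found.setdefault(member, set()).add(binding["role"])
    return found


# Constructed sample data: not real identities, projects or etags.
SAMPLE_PROJECT_POLICY = {
    "etag": "BwXyz123",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:lead@example.com"]},
        {"role": "roles/compute.osLogin", "members": ["user:alice@example.com"]},
    ],
}
SAMPLE_SA_POLICY = {"etag": "BwSa456", "version": 1, "bindings": []}
TEAM = ["user:alice@example.com", "user:bob@example.com", "group:oncall@example.com"]


def main():
    project = grant_ssh_only(SAMPLE_PROJECT_POLICY, TEAM)
    sa = grant_sa_user(SAMPLE_SA_POLICY, TEAM)
    # Refuse to proceed if anyone on the team also holds a broad role.
    leaks = broad_grants(project, TEAM)
    if leaks:
        raise SystemExit(f"team members hold broad roles, fix first: {leaks}")
    print(json.dumps(project, indent=2))  # -> gcloud projects set-iam-policy PROJECT -
    print(json.dumps(sa, indent=2))       # -> gcloud iam service-accounts set-iam-policy SA -


if __name__ == "__main__":
    main()
```

Run it once against the sample data to see the two policy documents; against a real project, pipe `gcloud projects get-iam-policy PROJECT --format=json` through `grant_ssh_only` and `broad_grants` before calling `set-iam-policy`, and treat a non-empty `broad_grants` result as a finding to clean up rather than something to overwrite.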

